Ireland’s Data Protection Commission (DPC) has yet another ‘Big Tech’ GDPR probe to add to its pile: the regulator said yesterday that it has launched two investigations into the video sharing platform TikTok.
The first covers how TikTok handles children’s data and whether it complies with Europe’s General Data Protection Regulation.
The DPC also said it would investigate TikTok’s transfers of personal data to China, where its parent company is based, to see if the company meets the requirements set out in the regulation covering personal data transfers to third countries.
TikTok was contacted for comment on the DPC’s investigation.
A spokesman told us:
“The privacy and security of the TikTok community, especially of our youngest members, is a top priority. We have implemented comprehensive policies and restrictions to protect user data and rely on valid methods for data transferred from Europe, such as the terms of the standard agreement. We intend to extend full cooperation to the DPC.”
The announcement of two “voluntary” inquiries by the Irish regulator follows pressure from other EU data protection authorities and consumer protection groups, which have expressed concern about how TikTok handles user data in general and children’s information in particular.
In Italy this January, TikTok was ordered to re-check the age of every user in the country after the country’s data protection watchdog launched an emergency procedure using GDPR powers, following child safety concerns.
TikTok went on to comply with the order, removing more than half a million accounts where it could not verify that the users were not children.
This year European consumer protection groups have also raised a number of child safety and privacy concerns about the platform. And, in May, EU legislators said they would review the company’s terms of service.
On children’s data, GDPR sets limits on how children’s information can be processed, putting an age limit on the ability to consent to the use of children’s data. The age limit varies by EU member state, but there is a strict limit on children’s ability to consent at 13 years old (some EU countries set the age limit at 16).
In response to the DPC’s investigation announcement, TikTok pointed to its use of age-gating technology and other strategies it said it uses to find and remove underage users from its platform.
It also highlighted recent changes around children’s accounts and data, such as making their accounts private by default and limiting certain features that deliberately encourage interaction with other TikTok users.
On international data transfers, it claims to use “valid methods”. However, the picture is more complicated than TikTok’s statement suggests: there is no EU data adequacy agreement with China covering the transfer of Europeans’ data to China.
In TikTok’s case, this means that, in order to transfer any personal data to China, it needs to have additional “appropriate safeguards” in place to protect the information to the required EU standard.
Where there is no adequacy arrangement in place, data controllers can potentially rely on mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), and TikTok’s statement notes that it uses SCCs.
But, crucially, the transfer of personal data from the EU to third countries has faced significant legal uncertainty and added scrutiny following a landmark ruling by the CJEU last year that invalidated key data transfer arrangements between the US and the EU. Ireland’s DPC, for example, has a duty to intervene and suspend the flow of people’s data to a third country where it is likely to be at risk.
So while the CJEU did not completely invalidate mechanisms such as SCCs, it essentially said that all international transfers to third countries should be evaluated on a case-by-case basis and that, where a DPA has concerns, it should step in and suspend those unsecured data flows.
The CJEU ruling means that the mere fact that a mechanism like SCCs is used does not, on its own, establish the legitimacy of a specific data transfer. It also increases pressure on EU agencies such as Ireland’s DPC to be active in assessing risky data flows.
The final guidelines, issued by the European Data Protection Board earlier this year, provide details on the so-called ‘supplementary measures’ that data controllers can apply to increase the level of protection around their specific transfers so that information can be legally taken to a third country.
But such measures may include technical measures such as strong encryption, and it’s not clear how a social media company like TikTok could implement such a fix, given how its platform and algorithms constantly work on users’ data to customize content and to keep users connected to TikTok’s advertising platform.
In other recent developments, China has just passed its first data security law.
But, again, this is unlikely to change much for EU transfers. The Communist Party regime’s continued use of personal data, by way of digital surveillance laws, means that it is impossible for China to meet the EU’s strict requirements for data adequacy. (And if the U.S. could not get EU adequacy, it would be ‘interesting’ geopolitical optics, to put it mildly, were that prestigious status to be given to China …)
One factor TikTok may consider is that it has time on its side when it comes to the EU’s enforcement of its data protection rules.
The Irish DPC has a huge backlog of cross-border GDPR investigations into a number of tech giants.
Earlier this month, the Irish regulator finally issued its first ruling against a Facebook-owned company, imposing a 267 million fine on WhatsApp for violating GDPR transparency rules (but only years after the first complaint was filed).
The DPC’s first decision in a cross-border GDPR case involving Big Tech came late last year, when it fined Twitter 550k over data breaches dating back to 2018, the year GDPR technically began to apply.
The Irish regulator still has a number of unresolved cases on its desk against tech giants, including Apple and Facebook. That means the new TikTok probes join the back of a much-criticized bottleneck. And a decision on these probes is not likely for years.
On children’s data, TikTok could face swifter scrutiny elsewhere in Europe: the UK has added some ‘gold-plating’ to its version of the EU GDPR in the area of children’s data and, as of this month, has said it expects platforms to meet its recommended standards.
It warns that platforms that are not fully aligned with its age-appropriate design code could face penalties under the UK’s GDPR. The UK Code has been credited with encouraging recent changes in how social media platforms handle children’s data and accounts.